Expert Opinion On Carbanak Malware Uses Google Svcs As C&C Servers

Following the reports that newer versions of Carbanak malware now use Google services to host command-and-control infrastructure to infect organizations and exfiltrate data (the Carbanak group has previously stolen more than $1 billion from banks around the world). IT security experts from Balabit, Lastline, CipherCloud and VASCO Data Security  commented below.

Balazs Scheidler, CTO and Co-founder at Balabit:

“This is important, as a lot of anti malware software will use IP address reputation and threat intelligence to identify malicious traffic. Because this control technique uses the very same services as legitimate Google services, it would be difficult to include in a blacklist.
Phishing and malware installation is an uphill battle enterprises are constantly fighting.  Organizations must concentrate on preventing and containing breaches, and especially on detecing those vectors where breached internal computers and user accounts are used to identify and exfiltrate their most important assets.

“We probably don’t store the most sensitive data assets in workstations, thus a breach only becomes really interesting once the breached workstation and user credentials are leveraged to go after an enterprise’s most valuable data and secrets.

“This is where the important role of privileged user behavior analytics comes into play. It can pinpoint the anomalous behaviors of hijacked accounts, which is a pretty good indicator of a breach happening.”

Christopher Kruegel, Co-founder, and CEO at Lastline:

“Because Carabanak malware samples we’ve analyzed are environmentally-aware with stealthy and evasive behaviors, they require a stealth sandbox to automatically detect them with an analysis environment that appears to be a victim’s system. Only then will banks and other organizations be protected against these evolving threats.”

.

.

Sundaram Lakshmanan, VP of Technology at CipherCloud:

“This latest attack is part of a disturbing trend: cloud applications are increasingly becoming vectors of choice for hackers – just like Email for Phishing, to spread malware into the enterprise. Despite the best efforts of Google and others, this demonstrates that you can’t put blanket trust in cloud services to protect your most sensitive data.”
.

.

John Gunn, VP of Communications at VASCO Data Security:

“The innovation demonstrated in attacks against financial transactions is improving at least as fast as the sophistication of our defenses. The result of this arms race is that, increasingly, the area of greatest vulnerability is the human factor. There is no patch for gullibility that can protect users from social engineering attacks. This is typically the first step in these types of attacks, and this will continue to compromise millions of users.”